SCFuzzbench Live

Smart-contract fuzzing is automated break-testing: software hammers a contract with random and guided inputs to see whether core safety rules ever fail. SCFuzzbench is turning that process into a live public benchmark for DeFi code. (scfuzzbench.com) SCFuzzbench says it focuses on “stateful invariant testing,” which means checking rules that must stay true across many transactions, not just one call. Its benchmark currently lists Foundry, Echidna, and Medusa as supported fuzzers, and Aave v4, Superform v2-periphery, Liquity v2 Governance, and Nerite as target projects. (scfuzzbench.com) The project’s public benchmark page shows recent runs in late February and early March 2026, with jobs lasting from 1 hour to 24 hours on AWS c6a instances. One March 6 run on Aave v4 used four instances and compared Echidna 2.3.1, Foundry v1.6.0-rc1, and Medusa 1.4.1. (scfuzzbench.com) The “live” part is the funding model described by project backers as a quadratic-funding experiment: money is meant to flow toward tools that more people support, while the benchmark measures how those tools perform on real contracts. The result is a public test bed where incentives and security tooling are tied together instead of handled separately. (x.com) (scfuzzbench.com) That setup borrows from Google’s FuzzBench, which was built to compare fuzzers on real-world software under reproducible conditions. Google says FuzzBench has run more than 150 experiments for external users since its March 2020 release, and SCFuzzbench applies that benchmarking idea to Solidity and DeFi invariants. (research.google) (google.github.io) The problem SCFuzzbench is targeting is well documented in the research literature: smart-contract fuzzers still miss too many bugs, and evaluation methods vary widely across papers and tools. A 2024 academic study comparing 11 smart-contract fuzzers said the state of the art remained “far from satisfactory” for vulnerability detection. (arxiv.org) SCFuzzbench’s own inclusion rules are narrow. A tool must be open source and able to run both assertion failures and global invariants, which is why the site says Orca, ItyFuzz, Wake, and Harvey are excluded for now. (scfuzzbench.com) Its methodology also emphasizes repeated runs, pinned versions, equivalent infrastructure, and published artifacts for outside review. Those details matter because fuzzers are noisy systems: a tool can look stronger or weaker depending on timeout length, harness design, and random seeds. (scfuzzbench.com 1) (scfuzzbench.com 2) For DeFi teams, the practical unit is the invariant — a rule like “total collateral must cover debt” or “a user cannot withdraw more than the protocol allows.” SCFuzzbench is effectively asking which tool breaks those rules fastest, most often, and under the same conditions. (scfuzzbench.com) If the experiment keeps attracting protocols, fuzzers, and donors, the benchmark becomes more than a leaderboard. It becomes a standing market for finding broken assumptions in live financial code before attackers do. (scfuzzbench.com) (x.com)